Is cryptography where security took the wrong branch?

Michael Shields shields at msrl.com
Wed Sep 3 12:05:54 EDT 2003


In message <3F55B354.CACFB16 at systemics.com>,
Ian Grigg <iang at systemics.com> wrote:
> One thing that has been on my mind lately is how
> to define success of a crypto protocol.

There are two needs a security protocol can address.  One is the need
to prevent or mitigate real attacks; the other is to make people feel
less afraid.

HTTPS might or might not have addressed a major problem, but it did
address a major fear.  Many people -- not only consumers, but also
merchants, issuing banks, and processing companies -- were concerned
about using credit card numbers on the Internet in 1995, when there
was no viable way to buy anything online.  Netscape designed an
effective protocol, deployed it widely, and made it visible to
end-users.  It offered a credible promise that you could trust your
session without trusting the network, and that's what made people
willing to do large-scale online commerce and banking.  This is not
to be underestimated.

At the same time, Netscape put visible crypto into the hands of people
who had never used crypto before, and in many cases had never even
owned a computer before.  This did a great deal to counter the
rhetoric about encryption being a tool for drug dealers and child
pornographers.

The physical security industry has known for a long time that if you
want something deployed, you shouldn't be looking at what problems are
interesting or even at what problems people actually have.  You should
be looking at what makes people afraid.  Fear drives deployment.
-- 
Shields.


---------------------------------------------------------------------
The Cryptography Mailing List